v0.9.0 — untrusted-content envelope + calibrated risk scoring
Prompt-injection surface hardening for fetched public web content.
- Content-safety envelope: fetched text is annotated
untrusted_public_web, reports deterministic injection-risk signals, and the default CLI wraps content between collision-resistant[BEGIN/END UNTRUSTED WEB CONTENT]boundary lines. Python callers still get rawFetchResult.content; useFetchResult.to_untrusted_text()for the safe agent-facing form. JSON output stays content-free + metadata only. Mitigation/packaging boundary, not complete prevention. (#5, thanks @datell1357) - Risk-score calibration: a lone topical keyword (
secret/token/password) no longer escalates tomedium; keyword-only signals without an explicit instruction-override cap atmediuminstead ofhigh.highis reserved for an instruction-override paired with a sensitive action — verified against real pages (Wikipedia/MDN/Django/Stripe docs) so the label stays meaningful.
U8 regression suite: 11 passed.